Security Policies and Implementation Issues

Chapter 12

Incident Response Team (IRT) Policies

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Learning Objective

Describe the different information security systems (ISS) policies associated with incident response teams (IRTs).

7/17/2014

Key Concepts

Incident response policies

Team members associated with incident response

Emergency services related to IRTs

Policies specific to incident response support services

Policies associated with handling the media and what to disclose

Business impact analysis (BIA) policies

Business continuity plan (BCP) policies

Disaster recovery plan (DRP) policies

Incident Response Team (IRT)

Cross-functional team

Organized and coordinated

Various skills

Usually only responds to major incidents

Minor incidents considered part of normal operations

Definition of an Incident

Any event that violates security policy

Unauthorized access to data

Unauthorized modification of data

Disruption of service

Classifying Breach by Attack Vector

Attack Vectors

SQL injection

Malicious code or malware

Insecure remote access

Insecure wireless

Improperly segmented network environment

Classifying an Incident

Develop a classification system

Varies by industry type

Should meet legal and regulatory obligations

Common approach is to use categories that assess threat level

Malicious code

Denial of Service

Unauthorized access

Inappropriate usage

Major vs. minor

Major incidents are significant

Determination based on risk to organization

Forming an Incident Response Team

Develop a charter

Determine IRT Model

Set goals (e.g., response time)

Identify Team Members

Team Members

Information Technology

Information Security

Human Resources

Legal

Public Relations

Business Continuity

Data Owner

Management

Charter Sections

Organizational Structure

Roles & Responsibilities

Information Flow

Authority & Reporting

Goals

Team responsibilities

Incident Declaration

Definitions

Declaration process

Team alignment

Member management

For team members

Communications

How goals are achieved

Level of authority

Source of authority

Summary

Mission Statement

Methods

IRT Models

On-Site Response: Full authority to contain breach

Supporting Role: Technical assistance to local team

Coordination: Coordinates several local teams

Roles and Responsibilities

IRT Manager

This individual makes all the final calls on how to respond to an incident and is the interface with management.

IRT Coordinator

Acts as the official scribe of the team. All activity flows through this person, who maintains the official records of the team.

Users

May have supporting role in IRT as data owner representatives

System Administrators

The subject matter experts (SMEs) chosen for each incident response effort will vary depending upon the type of incident and affected system(s)

Information Security Personnel

These team members may also have specialized forensic skills needed to collect and analyze evidence

Management

Ultimately, management is held accountable for the outcome of the incident response effort. May have supporting role in IRT as data owner representatives.

Incident Response Support Services

A broad category covering any team that supports the organization’s IT and business processes

Example: The help desk is a support services team

During an incident, the help desk may be in direct contact with the customer who is impacted by the attack

Incident Response Support Services (Continued)

The help desk, at that point, becomes a channel of information on the incident

It’s vital that the help desk, during an incident, is provided with a script of key talking points about the incident

The Incident Response Process

Plan and Train

Discover and Report Incident

Contain

Clean Up

Analyze and Prevent

Report

BIA Policies

Identifies assets required for business to recover and continue doing business

BIA may be based on multiple worst-case scenarios

Key assets include critical resources, systems, facilities, personnel, and records

BIA should contain security breach scenarios

BIA Policies (Continued)

Identifies recovery times

Used for information security and non–information security purposes

Identifies adverse effects on the organization

Identifies key components

Key Objectives of the Business Impact Analysis (BIA) Policy

Identify resources required to recover each component

Identify human assets needed to recover these components

Identify dependencies, such as other BIA components

Business Continuity Planning Policies

Creates a road map for continuing business operations after a major outage or disruption of services

Establishes the requirement to create and maintain the plan

Provides guidance for building a plan

Includes key assumptions, accountability, and frequency of testing

Business Continuity Planning Policies (Continued)

Must clearly define responsibilities for creating and maintaining a BCP

Identifies responsibilities for its execution

Covers the business’s support structure

BIA, BCP, and DRP

BIA

Drives the requirements for the BCP

BCP

Drives requirements for the DRP

DRP

Policies needed to recover IT assets after a major outage

Best Practices in Incident Response

Effectiveness of the IRT and its related policies needs to be measured

Measurement should be published annually with a comparison to prior years

Best Practices in Incident Response (Continued)

Measurements should include the goals in the IRT charter, plus additional analytics to indicate the reduction of risk to the organization, such as:

Number of incidents

Number of repeat incidents

Time to contain per incident

Financial impact to the organization

Summary

Incident classifications

Roles and responsibilities associated with incident response team policies

Incident support services

Best practices for creating incident response team policies

BIA, BCP, and DRP policies
